Critical third parties

Further reading

DP22/3: Operational resilience: critical third parties to the UK financial sector | FCA UK
DP3/22 – Operational resilience: Critical third parties to the UK financial sector | Bank of England
Critical Third Parties - a new regulatory perimeter | PwC UK blog
UK regulators provide further details on framework for oversight of critical third parties (UK DORA) | Ashurst
Too Important to Fail: Regulating Critical Third Parties in the UK | Oxford Business Law Blog
Financial Services and Markets Bill | UK Gov


ServiceNow Third-Party Risk Management (TPRM)

Drivers

Organisation relies increasingly on third parties, and their sub-contractors (fourth parties)
Vendor information is currently collected via email and spreadsheet - hard to stay current, information goes missing, how to see full current picture (live dashboard?)

TPRM overview (ServiceNow)

Notes

Replaces the previous Vendor Risk Management (VRM) module
Launched with Vancouver release
TPRM calculated score
Fourth parties
Risk intelligence feeds
Tiering Assessment
Due Diligence Record (DDR)
Inherent Assessment (INA)
Linked to Vendor Management module
Transform map - set up one time or for recurring integration

Roles

Third party reader
Third party editor
Third party contract negotiator
Due diligence approver

Key Steps

Initial onboarding
AML / Sanctions / other onboarding steps
Inherent Risk Questionnaire
Risk assessment
Issues & Task Management
Internal assessment
External assessment
Approval of responses
Contract risk
Due diligence
Assessment questions and Questionnaires

Further reading

Third-Party Risk Management - ServiceNow UK
What you need to know about ServiceNow’s new Third Party Risk Management (TPRM) - AC3
Case Study on NTT - Implementation of ServiceNow Third-Party Risk Management - Nihilent (PDF)
Trust but Verify: Streamlining Third-Party Risk with ServiceNow - Infocenter.io - provides good overview of TPRM module, benefits, features, implementation considerations


SS2/21 Outsourcing and third party risk management

SS2/21 Outsourcing and Third Party Risk Management outlines the PRA’s expectations for managing risks associated with outsourcing and third-party arrangements, ensuring compliance, operational resilience, and the identification of key risks that may impact the organization’s internal control environment. (Published on 29 March 2021)

Further reading

Link to PRA website


Third-Party Risk Management in the Age of AI - Rethinking Trust and Accountability

Companies are rapidly integrating AI into their operations, from customer service chatbots to advanced analytics tools. And if organisations are using AI, then so are their third party vendors, the companies processing data on their behalf. Do we know how our vendors are using our data, and how will we manage that risk?

AI and Third-Party Risk: What’s at Stake?

AI amplifies third-party risk in several ways:

Data Leakage: Information entered into AI tools could be stored, reused, or exposed. Are your inputs contributing to a model that may resurface these comments elsewhere?
Opaque Data Practices: What AI systems are your third parties using? Are they using in-house proprietary models? How clear are you on data usage, retention, and any onward sharing?
Model Vulnerabilities: If an AI model is compromised, its outputs could become inaccurate or biased, damaging trust and operations. What obligations do you have, and how do you manage this risk?
Supply Chain Risks: Many AI solutions will rely on a network of sub-processors, expanding the risk landscape. Do you know where your data ends up?

The Key Questions to Ask Yourself and Your Vendors

To manage third-party risk effectively in the AI era, you need to ask the right questions: ...
